The Information Commissioner’s Office is investigating Sony’s data breach to see if there is a case to be answered

The Information Commissioner’s Office (ICO) is investigating the recent Sony network breach with a view to taking action on behalf of the company’s three million registered UK users.

An ICO spokesperson said, “The Information Commissioner’s Office takes data protection breaches extremely seriously. Any business or organisation that is processing personal information in the UK must ensure they comply with the law, including the need to keep data secure.”

Another Week Of Silence

Sony has admitted losing 77 million user records in a security breach on 20 April. The company immediately took down both its PlayStation Network and the Qriocity music service, but it has come under heavy criticism for not telling its customers why until a week later.

The ICO commented, “We have recently been informed of an incident which appears to involve Sony. We have contacted Sony and will be making further enquiries to establish the precise nature of the incident before deciding what action, if any, needs to be taken by this office.”

The commissioner has, however, been criticised lately for a weak record when it comes to fining companies that contravene the Data Protection Act. In the past year, despite several hundred reported breaches, only four companies have been fined. Those penalties total £310,000, even though the ICO has the power to levy up to £500,000 in a single action.

Sony now says that the payment card details, which it still cannot confirm were or were not stolen, were encrypted. This relieves some of the pressure from both the UK and US governments, but analysts argue that, in this case especially, encryption on its own is not enough: encrypting stored card data only protects it if the keys are held and accessed separately from the data, and only if decryption is logged so the company can tell what was actually read.

“Sony has said the data was encrypted, but in some ways this is even more disturbing,” said Bill Tarzey, analyst and director at Quocirca. “The thief must have had access to the keys, suggesting a level of privileged user access and authentication had been achieved. It seems Sony is also unsure what has actually been accessed, which implies data access auditing measures were not in place.”

Sony has said that the personal details and the payment card information were stored in separate databases, but it still seems unsure whether any card details were stolen. It estimates that the services will be down for at least another week while its data infrastructure is moved to “a new, more secure location”.

I think there is a lesson to be learned from Sony in terms of data breaches. If you were a user of the PlayStation Network, there’s some free professional security advice here: http://bit.ly/mP23hU
I’m really interested to see what the ICO’s next actions are going to be on this case…